When an NSG is set from PowerShell or the portal, the operation completes successfully right away, but it takes a few minutes before the NSG setting takes effect.
Please apply NSG settings immediately.
72 votes
When creating NSGs it would be nice to be able to define network object groups that contain a list of IP addresses or ranges, which can then be applied to the source or destination addresses of the NSG. If I only want to allow services to a specific set of IPs, I have to create a rule for each distinct IP address. Even having the ability to add multiple IPs or IP ranges would work for source/destination, but objects would be better so they can be used across multiple rules.
171 votes
Custom tags and service tags for Azure public services have been included in our planning. NSG rule grouping has been delivered. Custom tags for explicit IPs are a roadmap item for now.
Currently, it seems I can't create security groups without creating an instance, or rename them for that matter. Or can I?
My use case: I created an instance and an 'SSH' security group with it. Then I decided I want to test HTTP as well via public IP. Oh well, I can't rename the SSH group to e.g. 'SSH+HTTP', nor can I create a new group to change the NIC to.
336 votes
This remains on our long-term backlog as something we want to offer.
Network and service object group support is missing in Network Security Groups (NSG). This makes NSGs more difficult to manage and control. Please consider this to make NSGs more efficient.
34 votes
Thanks for the feedback! We are looking into exposing system tags for STORAGE and SQL in the near term.
System Tag is also on our roadmap for future improvements.
Allow the creation of groups that contain multiple IP addresses. Then allow the application of Network Security Group rules to the group. As an example, I could create a group, add the IP addresses of all my Domain Controllers to the group, then apply rules to the group, rather than duplicating rules for each Domain Controller where the only difference is the IP address.
70 votes
Thanks for the feedback. We are looking into exposing features for grouping and improving rule definitions; we'll keep you posted.
Sometimes, for services to work, we need many TCP/UDP ports. For example, to limit access from a DMZ to AD in another subnet we need to create a lot-lot-lot of rules.
Is it possible to create an object with the needed TCP/UDP port group and apply this service group to one NSG rule?
23 votes
Thank you! This is a great suggestion – we are currently reviewing this for future updates to NSGs.
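The requests above ask for IP address groups and port groups so that one NSG rule can cover many addresses and many ports. The reply at the top of the thread says NSG rule grouping has been delivered; in the Az PowerShell module that means a single rule can carry several address prefixes and several port ranges, which the DMZ-to-AD scenario from the previous post shows well. This is an added example, not code from the thread or from Microsoft; the resource group, NSG name, subnet and domain controller addresses are constructed sample values.

```powershell
# Added example. Assumes the Az module and an existing NSG 'dmz-nsg' in
# resource group 'rg-demo' (hypothetical names). Everything except the last
# three lines is built locally; only those touch Azure.

$dmzSubnet         = '10.20.0.0/24'                                # constructed
$domainControllers = @('10.10.1.4', '10.10.1.5', '10.10.2.4')     # constructed
# AD service ports: DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, LDAPS,
# global catalog and the dynamic RPC range. Ranges are allowed ('a-b').
$adPorts = @('53', '88', '135', '389', '445', '464', '636', '3268-3269', '49152-65535')

# One rule instead of (#DCs x #ports) rules: arrays are accepted for both
# address prefixes and port ranges. Protocol '*' because DNS and Kerberos
# use UDP as well as TCP.
$adRule = New-AzNetworkSecurityRuleConfig -Name 'allow-dmz-to-ad' `
    -Description 'DMZ to AD: grouped DC addresses and AD service ports' `
    -Direction Outbound -Access Allow -Priority 200 -Protocol '*' `
    -SourceAddressPrefix $dmzSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix $domainControllers `
    -DestinationPortRange $adPorts

# A service tag in place of a hand-maintained IP list. 'Storage' (and the
# region-scoped form such as 'Storage.WestUS') is a tag that exists today;
# the replies in this thread describe tags as planned work.
$backupRule = New-AzNetworkSecurityRuleConfig -Name 'allow-dmz-to-storage' `
    -Direction Outbound -Access Allow -Priority 210 -Protocol Tcp `
    -SourceAddressPrefix $dmzSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix 'Storage' -DestinationPortRange 443

# Explicit deny for all other DMZ egress. It must sit below 4096 so it is
# evaluated before the default AllowInternetOutBound rule (priority 65001).
$denyRule = New-AzNetworkSecurityRuleConfig -Name 'deny-dmz-outbound' `
    -Direction Outbound -Access Deny -Priority 4000 -Protocol '*' `
    -SourceAddressPrefix $dmzSubnet -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

$nsg = Get-AzNetworkSecurityGroup -Name 'dmz-nsg' -ResourceGroupName 'rg-demo'
foreach ($rule in @($adRule, $backupRule, $denyRule)) { $nsg.SecurityRules.Add($rule) }
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Ordering matters: the allow rules get low priority numbers and the deny rule a high one, because NSGs evaluate rules in ascending priority and stop at the first match. The named, reusable object the posts ask for (a group that several rules can reference by name rather than by address list) shipped later as application security groups, which the same cmdlet takes through `-SourceApplicationSecurityGroup` and `-DestinationApplicationSecurityGroup`; that is my note, not something the thread states.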
In the ARM and RBAC model: possibility to have the subnet as an independent resource, to be able to say using RBAC: "I want my user1 to be able to deploy VMs to subnets 1 and 2 but not 3, because subnet 3 is an infrastructure subnet unauthorized for users."
51 votes
Thank you for your suggestion, we added this to our roadmap.
This should be the accepted standard for secure Internet communications. Not sure why Microsoft refuses to commit to this after so many customer requests. Instead, charging customers high prices to communicate securely continues. Google Cloud has already implemented this feature.
3 votes
Thanks for your feedback. Can you please elaborate on what specifically you want to see happen? Are you referring to obtaining free SSL certificates or do you want to see a specific product offer a new feature? Thank you.
Microsoft Azure should have predefined access rules for every region.
For example, if someone wants to block traffic from every region except one, they should be able to choose allow for the specific one and add a block rule for every other region.
That would be good against DDoS attacks.
3 votes
Thank you for your suggestion. Did you have the chance to review our NSG documentation? Also, stay tuned for an announcement on our upcoming DDoS solution.
The portal says the NSG update succeeded, but it usually takes 1-2 minutes until the rule takes effect.
It would be better if the status were synchronized between the NSG portal and the VM's VFP applying it.
1 vote
Thank you for your suggestion. We are working to improve this experience.
I have a cheap Titan ClearDB database. I'd like to make it only accessible from within Azure and perhaps from a fixed set of whitelisted IPs.
3 votes
Thank you for your suggestion. We are reviewing it and will get back to you.
My scenario includes two Virtual Machines acting as web servers and a Traffic Manager in place so that if the primary node fails I can switch to the other VM, which is in a different datacenter. However, they are accessible only by specific public IPs, and to get Traffic Manager working I had to create a rule on a different port for ANY.
Wouldn't it be easier to have an option for Source: Azure Services, like there is in the Azure SQL Server firewall?
17 votes
Adding the ability to restrict outbound traffic based on site categorization would be great. This would give the ability to restrict outbound access to adult, gambling and other questionable sites.
4 votes
When the UDR is associated with the subnet, it is not possible to connect by RDP from the Internet, or to other services exposed on the Internet.
If I could create a NAT rule on the Azure Firewall I could expose any service to the Internet and this issue would be resolved.
Thank you so much.
Best regards
1 vote
We cannot use flow logs in the classic portal.
I hope we will be able to use this feature in classic too.
1 vote
Allowing a method of transparent interception for network/security appliances so they can operate, while still being able to configure new applications completely via ARM.
e.g. a new app has an external load balancer, 3 tiers of VMs, etc. But we could slot an IPS in between the external load balancer and the web tier, or outside the ELB, etc., without having to also configure a Layer 3 policy and NAT on the security appliance.
Ideally, have options for both inline and "SPAN" mode, and be able to attach to load balancers, NICs, and, where there are tags, e.g. 'Internet' routes.
9 votes
Hi Peter, thanks for the suggestion. It looks like you are looking for a way to get ERSPAN or port mirroring functionality that can be transparently switched on for any VM, and if you slot in an IPS/advanced inline processing function of your choice that acts as a collector to obtain and do what it needs to do, that would do the job. Is that right?
When creating a new VM and a new network with inbound firewall rules, if you add two rules with the same priority it will pass validation (see attached screenshot). It will, however, later fail the deployment with an obscure error message.
Firewall rule priority conflict detection should happen instantly as you type in the rule textbox. That green checkmark should have been red and saying "there is already another rule with this priority".
7 votes
Hi Kirill, thanks for the feedback. This seems like an issue with Portal validation. We will look into fixing this and update the status as appropriate.
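Until the portal validates priorities as you type, the same check can be run locally before a deployment is submitted. The following is an added example, not code from the thread or from Microsoft. It uses the Az module only to construct rule objects in memory, so no Azure connection is needed to run it; the rule names and addresses are constructed sample values.

```powershell
# Added example. Finds rules that share a priority within the same direction,
# which is exactly what the portal accepts and the deployment later rejects.
# Assumes the Az module (New-AzNetworkSecurityRuleConfig builds objects locally).

function Find-NsgPriorityConflicts {
    param([Parameter(Mandatory)] [object[]] $Rules)

    # Priorities are unique per direction: an Inbound and an Outbound rule may
    # share a number, two Inbound rules may not.
    $Rules |
        Group-Object -Property Direction, Priority |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Direction = $_.Group[0].Direction
                Priority  = $_.Group[0].Priority
                Rules     = ($_.Group.Name -join ', ')
            }
        }
}

# Constructed sample: two inbound rules both claim priority 100 (a conflict);
# the outbound rule at 100 is fine because it is a different direction.
$rules = @(
    (New-AzNetworkSecurityRuleConfig -Name 'allow-ssh' -Direction Inbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix '203.0.113.0/24' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 22),
    (New-AzNetworkSecurityRuleConfig -Name 'allow-http' -Direction Inbound -Access Allow `
        -Priority 100 -Protocol Tcp -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 80),
    (New-AzNetworkSecurityRuleConfig -Name 'deny-all-out' -Direction Outbound -Access Deny `
        -Priority 100 -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*')
)

$conflicts = Find-NsgPriorityConflicts -Rules $rules
if ($conflicts) {
    $conflicts | Format-Table -AutoSize
    throw 'Duplicate NSG rule priorities; fix them before calling Set-AzNetworkSecurityGroup.'
}
```

The same function works against a live NSG: pass `(Get-AzNetworkSecurityGroup -Name ... -ResourceGroupName ...).SecurityRules` together with the rules you are about to add, so a new rule is also checked against what is already deployed.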
MS-maintained UDR or firewall rule that enables traffic for MS services, to allow outbound traffic from a host in a DMZ. Outbound traffic to all of 443 from a DMZ host to enable backups is a bad design, and using the MS-provided IP list includes ALL services, including other customers' IaaS servers; as an attacker, all they would need to do to exfiltrate data is to set up an Azure host to send it to. It would be better to enable outbound traffic for specific services such as backup and have MS maintain a list of which IPs are needed for that to work. Or enable some sort of tagging on the traffic, or an L7 firewall that can filter it.
6 votes
Thanks for the feedback. This is a common request and we are working on a few options to optimize the security definition on NSGs to include a Service Tag for all Azure services.
Leaving RDP open is a huge security risk, so I prefer to set "deny" by default and only open it before using RDP. Most likely I have to remember to close the RDP port after doing my work, but it would be nice if there were a timespan that closed the port after it was opened. So if I forgot, I wouldn't leave the RDP port open; it would automatically close after a given timeout.
6 votes
This is really good feedback. We will look into this.
— Anavi N [MSFT]
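The time-boxed RDP rule asked for in the last post can be built from the existing cmdlets: open the port only for one source address, record the expiry in the rule itself, and have a scheduled job remove every rule whose expiry has passed. This is an added example, not code from the thread or from Microsoft; the NSG, resource group and jump-host address are hypothetical, and storing the expiry in the rule description is my convention, not an NSG feature.

```powershell
# Added example. Assumes the Az module and an NSG that has no standing
# allow-RDP rule, so the default DenyAllInBound (priority 65500) applies
# whenever the temporary rule is absent. Names and addresses are constructed.

function Open-RdpTemporarily {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NsgName,
        [Parameter(Mandatory)] [string] $SourceAddress,   # a single /32, never '*'
        [int] $Minutes = 60
    )
    # Expiry is written into the description so a later run can find it.
    $expires = (Get-Date).ToUniversalTime().AddMinutes($Minutes).ToString('o')
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
    $nsg | Add-AzNetworkSecurityRuleConfig -Name 'tmp-allow-rdp' `
        -Description "expires=$expires" `
        -Direction Inbound -Access Allow -Priority 300 -Protocol Tcp `
        -SourceAddressPrefix $SourceAddress -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389 |
        Set-AzNetworkSecurityGroup | Out-Null
    return $expires
}

function Close-ExpiredRules {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $NsgName
    )
    $nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroupName
    $now = (Get-Date).ToUniversalTime()
    # Any rule carrying an 'expires=' stamp in the past is removed, whatever
    # its name, so the sweep also catches rules left behind by other runs.
    $expired = @($nsg.SecurityRules | Where-Object {
        $_.Description -match '^expires=(.+)$' -and
        [DateTimeOffset]::Parse($Matches[1]).UtcDateTime -lt $now
    })
    foreach ($rule in $expired) {
        $nsg | Remove-AzNetworkSecurityRuleConfig -Name $rule.Name | Out-Null
    }
    if ($expired.Count -gt 0) { $nsg | Set-AzNetworkSecurityGroup | Out-Null }
    return $expired.Name
}

# Usage (hypothetical values): open for 30 minutes from the jump host, then let a
# scheduled job (Azure Automation runbook, cron, or a Task Scheduler entry) run
# Close-ExpiredRules every few minutes.
# Open-RdpTemporarily -ResourceGroupName 'rg-demo' -NsgName 'vm-nsg' -SourceAddress '198.51.100.7/32' -Minutes 30
# Close-ExpiredRules  -ResourceGroupName 'rg-demo' -NsgName 'vm-nsg'
```

Two things make this safe to forget: the allow rule is scoped to one source address, and the sweep runs independently of the session that opened the port, so a crashed or closed shell does not leave 3389 exposed. Azure Security Center's just-in-time VM access later shipped the same pattern as a built-in feature; that is my note, not something the thread states.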